Hyperelliptic Curves Benjamin Smith Team GRACE INRIA Saclay–ˆIle-de-France Laboratoire d’Informatique de l’Ecole´ polytechnique (LIX) [email protected] ECC Summer School 2015 Smith (INRIA/LIX) Hyperelliptic Curves ECC, 24/09/2015 1 / 38 Recall... Disclaimer So far you’ve seen elliptic curves from both a low-level, implementation point of view and a high-level, theoretical point of view. I’ll try to take a “middlebrow” point of view. (I can’t promise we’ll have the same idea of where “middle” is, though.) Smith (INRIA/LIX) Hyperelliptic Curves ECC, 24/09/2015 2 / 38 Recall... We work over a perfect field k. Perfect?! Every irred. poly. over k has distinct roots in k Equivalently: Either char(k) = 0, or char(k) = p and the Frobenius α αp is an automorphism. 7→ 1 Finite fields: k = Fq (what we’re really interested in) 2 Characteristic 0: k = Q, Q(√13), Q(t), Qp, R, C,... 3 ...But not (e.g.) k = Fq(t) (because then weird stuff happens with t1/p, etc.) Smith (INRIA/LIX) Hyperelliptic Curves ECC, 24/09/2015 3 / 38 Recall... Something (a point, a set, a curve, a function) is defined over k if it is fixed by Gal(k/k). If X is a thing, then X (k) denotes its elements/points defined over k. If k = Fq, then the objects defined over Fq are those fixed by/commuting with the q-power Frobenius. Smith (INRIA/LIX) Hyperelliptic Curves ECC, 24/09/2015 4 / 38 Hyperelliptic Curves From elliptic to hyperelliptic curves We’ve considered cryptosystems built from elliptic curves. But what’s so special about elliptic curves? Today: denotes an algebraic curve over k. X Examples: = P1 = a line X = an elliptic curve : y 2 = x 3 + Ax + B X E : y 2 = f (x) with deg f > 4 (hyperelliptic curves) X ...More generally, a plane curve : F (x, y) = 0 in A2 X Smith (INRIA/LIX) Hyperelliptic Curves ECC, 24/09/2015 5 / 38 Hyperelliptic Curves Hyperelliptic Curves : y 2 = f (x) = x d + X ··· with f squarefree, of degree d > 4. (NB: d = 1, 2 = conics; d = 3, 4 = elliptic.) ⇒ ⇒ Hyperelliptic involution: ι :(x, y) (x, y) . 7−→ − d odd = one point at infinity. ⇒ ∞ d even = two points +, at infinity. ⇒ ∞ ∞− Key: P x(P) defines a double cover / ι = P1. 7→ X → X h i ∼ Smith (INRIA/LIX) Hyperelliptic Curves ECC, 24/09/2015 6 / 38 Hyperelliptic Curves The function field If : F (x, y) = 0 is a plane curve over k, X then its function field is k( ) = k(x)[y]/(F (x, y)) . X Its elements are rational fractions in x and y, modulo the curve equation F (x, y) = 0. For more general curves: k( ) := fraction field of the coordinate ring. X Smith (INRIA/LIX) Hyperelliptic Curves ECC, 24/09/2015 7 / 38 Divisors Zeroes and Poles Rational functions on have poles and zeroes: X The zeroes of f are the points P on where f (P) = 0. X The poles of f are the points P on where f (P) = . X ∞ Note: (zeroes and poles can occur with multiplicity > 1.) Theorem If f is a nonzero function in k( ), then X 1 f has only finitely many zeroes and poles, and 2 counted with multiplicity, #zeroes(f ) = #poles(f ). Smith (INRIA/LIX) Hyperelliptic Curves ECC, 24/09/2015 8 / 38 Divisors Orders of vanishing Let f be a nonzero function on . X We define ordP (f ) to be the order of vanishing of f at P: ordP (f ) := n if f has a zero of multiplicity n at P ord (f ) := n if f has a pole of multiplicity n at P P − ordP (f ) := 0 otherwise. Useful rules: ordP (fg) = ordP (f ) + ordP (g) for all f , g, P ord (f /g) = ord (f ) ord (g) for all f , g, P P P − P ordP (α) = 0 for all constants α = 0 in k 6 ai bi ordP ( i αi x y ) = n ai bi if the curve αi x y = 0 intersects n times at P P i X Smith (INRIA/LIX) P Hyperelliptic Curves ECC, 24/09/2015 9 / 38 Divisors Principal divisors Each function f = 0 on has an associated 6 X principal divisor: that is, a formal sum div(f ) = ordP (f )(P) . P (Fq) ∈XX 1 div(f ) = 0 if and only if f is constant (in kq 0 ); \{ } 2 div(fg) = div(f ) + div(g) and div(f /g) = div(f ) div(g); − 3 div(f ) = div(g) f = αg for some α = 0 in Fq. ⇐⇒ 6 Functions are determined by their principal divisors, up to constant factors. Smith (INRIA/LIX) Hyperelliptic Curves ECC, 24/09/2015 10 / 38 Divisors The set of principal divisors is denoted Prin( ): X Prin( ) := div(f ): f k( ) . X ∈ X Since div(fg) = div (f ) + div(g), we see that Prin( ) is a group. X If you like exact sequences: 1 k× k( )× Prin( ) 0 . −→ −→ X −→ X −→ Smith (INRIA/LIX) Hyperelliptic Curves ECC, 24/09/2015 11 / 38 Divisors Examples 2 3 Consider the elliptic curve : y = x + 1 over F13. E div(x) = (0, 1) + (0, 1) 2 ; − − ∞ div(y) = ( 1, 0) + (4, 0) + ( 3, 0) 3 ; − − − ∞ div(x 2/y) = 2(0, 1) + 2(0, 1) ( 1, 0) (4, 0) ( 3, 0) ; −x 2 y 1 − − − − − − ∞ div( −xy− ) = (0, 1) + (2, 3) + (0, 1) ( 3, 0) (4, 0). − ∞ − − − − More generally: If f (x, y) = 0 is the line through P and Q, then div(f ) = P + Q + ( (P Q)) 3 . ⊕ − ∞ Smith (INRIA/LIX) Hyperelliptic Curves ECC, 24/09/2015 12 / 38 Divisors General divisors Divisors on are formal sums of points in (k) X X with arbitrary coefficients in Z; We define the (free abelian, infinitely generated) group Div( ) := n (P) , X P P (Fq) n ∈XX o with the nP in Z, and only finitely many nP = 0. 6 Observe that Prin( ) Div( ). X ⊂ X Smith (INRIA/LIX) Hyperelliptic Curves ECC, 24/09/2015 13 / 38 Divisors The Picard group The divisor group Div( ) is way too big, X and doesn’t tell us anything about the geometry of . X We work with the quotient Pic( ) := Div( )/Prin( ) . X X X Elements are divisor classes: [D] = D + div(f ): f k . { ∈ } Smith (INRIA/LIX) Hyperelliptic Curves ECC, 24/09/2015 14 / 38 Divisors Degree We have a degree homomorphism deg : Div( ) Z, X → deg( nP (P)) = nP . XP XP Its kernel is a subgroup of Div( ), denoted Div0( ): X X Div0( ) := ker deg = D Div( ) : deg(D) = 0 Div( ) . X { ∈ X } ⊂ X Every function has the same number of zeroes and poles, so 0 0 Prin( ) Div ( ) and Prin( )(k) Div ( )(k) . X ⊂ X X ⊂ X This inclusion is strict for almost all curves: not every divisor of degree zero is principal! Smith (INRIA/LIX) Hyperelliptic Curves ECC, 24/09/2015 15 / 38 Divisors Why are they called divisors? Idea: degree-0 divisors are “parts of functions”. Example: Consider : y 2 = x 3 + 1. The divisors E D = (0, 1) and D = (0, 1) 1 − ∞ 2 − − ∞ are both in Div0( ). Neither is principal, but E D1 + D2 = div(x) . So we can view D1 and D2 as being “parts” (or even “factors”) of the function x... Smith (INRIA/LIX) Hyperelliptic Curves ECC, 24/09/2015 16 / 38 Divisors Degrees of divisor classes deg is well-defined on divisor classes: deg : Pic( ) Z X −→ [D] deg(D) 7−→ (since deg(div(f )) = 0 for all f ). = Div0( ) splits up into divisor classes: we set ⇒ X 0 Pic ( ) := ker(deg : Pic( ) Z) X X → = Div0( )/Prin( ) . X X Smith (INRIA/LIX) Hyperelliptic Curves ECC, 24/09/2015 17 / 38 Divisors The map D (D deg(D) , deg(D)) 7→ − ∞ defines isomorphisms = 0 Div( ) ∼ Div ( ) Z X ←→ X × = 0 Pic( ) ∼ Pic ( ) Z . X ←→ X × The “interesting” stuff all happens in Pic0( ). X In fact, Pic0( ) has the structure of an abelian variety: a geometricX object defined by polynomial equations in projective coordinates, with a polynomial group law. (Stop and think about what this means for a minute: in some weird universe, divisor classes are defined by tuples of coordinates, and addition of divisor classes modulo linear equivalence is defined by polynomial formulæ in those coordinates!) Smith (INRIA/LIX) Hyperelliptic Curves ECC, 24/09/2015 18 / 38 Differentials Differentials Differentials on look like gdf , where g and f are in k( ), X X g2 df1 with g1df1 = g2df2 = ( usual derivative) . ⇐⇒ g1 df2 ← Differentials obey the usual product rule: d(fg) = fdg + gdf . Also: d(αf + βg) = αdf + βdg and dα = 0 for α, β in k. For example: on : y 2 = x 3 + 1, we have E 2ydy = 3x 2dx Differentials are not functions on : they give linear functions on the tangent spacesX of . X Smith (INRIA/LIX) Hyperelliptic Curves ECC, 24/09/2015 19 / 38 Differentials The space of differentials The differentials on form a one-dimensional X k( )-vector space, Ω( ). X X That is: if we fix some differential dx, then every other differential in Ω( ) is equal to fdx for some function f . X On the other hand: Ω( ) is an infinite-dimensional k-vector space. X Smith (INRIA/LIX) Hyperelliptic Curves ECC, 24/09/2015 20 / 38 Differentials Divisors of differentials Differentials have divisors! First, for each point P of , we fix a local parameter t X P near P on : ie any function with a simple zero at P. X If ω is a differential then ω/dtP is a function, so we set ordP (ω) := ordP (ω/dtP ) (amazingly, ordP (ω) is independent of choice of tP ) and div(ω) := ordP (ω) .